QUESTION & ANSWER

FFIEC impact so far

By Editorial staff 17 Jan 2008 | SearchFinancialSecurity.com

Digg This!     StumbleUpon     Del.icio.us

What's your sense for compliance? Are most financial services institutions compliant--or close?
Michael L. Jackson: Our early kick-of-the-tires indications are that yes, the industry has responded positively to the guidance. Keep in mind, the agencies are not doing anything different outside the normal exam process. If an organization is scheduled for an exam, the exam will proceed and we will look at the guidance. If an institution is not scheduled for an exam, we will not go in specifically to look just at the guidance.

What are some of the concerns being expressed by institutions that may be struggling to comply?
Jackson: Some of the questions were around whether they should do security assessments around applications, or enterprise-wide. We left it up to the organization to decide what was best. Also, who could do the risk assessment?

That could be contracted out, but the institution is still ultimately responsible for it. Other concerns were around specific technologies. Before the guidance became effective, there was talk in the press about tokens being a preferred solution. We reiterated numerous times that there was no preferred solution.

The solutions had to come out of the banks' risk assessment and business decision.

What is the word on consumer pushback? Are consumers noticing the stronger authentication demands, and what's the impact on business?
Jackson: I don't have a great handle on that, but early indications are that consumers are curious about it and understand it impacts them and secures their funds more than before. The bankers I've talked to, there's not a wholesale rejection of it; consumers are OK with it, it's just something that's different.

What comes next for the regulation?
Jackson: The next steps are that we would continue to try to educate consumers on vulnerabilities and their habits. We have to look at implementation vulnerabilities; if they're not implemented properly, they could also create vulnerabilities in the technology. We need to look at technology risk. When you have new products in production, we have to see if there's any risk based on that. Institutions have to look at how it's impacted their business and how adoption has gone with customers.

Download the full interview with Michael L. Jackson at searchsecurity.com/ismag.

Tags: SEC and FDIC regulations,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT SEC and FDIC regulations Heartland Payment Systems to vigorously defend breach claims, CEO says SEC cracks down on kickback schemes SEC: 404 budgets filled with waste SEC suspends trading of 35 companies over spam SEC document offers clues on TJX security failings

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Federal Deposit Insurance Corporation (FDIC)  (SearchFinancialSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary